Azure Information Protection classic client for Windows
Applies to: Active Directory Rights Management Services, Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Relevant for: Azure Information Protection classic client for Windows. For the unified labeling client, see the unified labeling client admin guide and user guide.
Note
To provide a unified and streamlined customer experience, we are sunsetting the Azure Information Protection classic client and Label Management in the Azure Portal as of March 31, 2021. No further support is provided for the classic client and maintenance versions will no longer be released.
- The classic client will be fully retired, and will stop functioning, on March 31, 2022.
- As of March 18, 2022, we are also sunsetting the AIP audit log and analytics, with a full retirement date of September 31, 2022.
For more information, see Removed and retired services.
The Azure Information Protection classic client is the original downloadable client for organizations that use Azure Information Protection to classify and protect documents and emails, or use a Rights Management service to protect their data. This client also has a viewer for organizations that don't have their own information protection infrastructure but want to consume content that has been protected by other organizations that use a Rights Management service from Microsoft.
Use the following resources for the classic client:
Note
Azure Information Protection is not currently supported on Microsoft Azure operated by 21Vianet portal. You can achieve the same functionality using the Azure Information Protection PowerShell commands.
Supported features
The this section lists the features supported by the classic client, in parallel with the comparison section for the unified labeling client and built-in labeling solution in Learn about about built-in labeling and the AIP unified labeling client.
This section also provides a more detailed comparison of supported features between the classic and unified labeling clients.
Classic client features for Office applications
| Feature area | Supported by the classic client |
|---|---|
| User experience | - Multi-language support - Information Protection bar in Office apps |
| Enforcement | - Manual labeling - Mandatory labeling - PowerShell labeling cmdlets - Customizations, such as default labels for emails, pop-up messages in Outlook, S/MIME support, and a Report an Issue option Note: Customization settings are supported as advanced client settings that you configure in the Azure portal |
| Automation | - Default labeling - Label inheritance from email attachments |
| Encryption and protection | - Recommended or automatic labeling - User-defined permissions for a label: Do Not Forward for emails and custom permissions for Word, Excel, PowerPoint - Display the Do Not Forward button in Outlook - Custom permissions set independently from a label - Protection-only mode (no labels) - Support for AD RMS - Track and revoke protected documents: Admin docs / User docs Note: Administrators can also use central reporting to identify whether protected documents are accessed from Windows computers, and whether access was granted or denied. |
| Logging and analytics | - Central reporting - Usage logging in Event Viewer |
| Visual markings | - Visual markings as a label action (header, footer, watermark) - Per-app visual markings - Dynamic visual markings with variables - Remove external content marking in apps |
| Identity | - HYOK support |
| Workload environment | - Support for Microsoft Office 97-2003 formats - Offline support for protection actions - Manual policy file management for disconnected computers - Support for Remote Desktop services |
Classic client features for outside Office applications
The following features are supported by the classic client outside of Office applications:
- Scanner for on-premises data stores
- Label with File Explorer
- A viewer for protected files (text, image, PDF, .pfile)
- PPDF support for applying labels
Detailed comparisons for the AIP clients
When the Azure Information Protection classic client and the Azure Information Protection unified labeling client both support the same feature, use the following lists to help identify some functional differences between the two clients:
AIP client feature comparisons in Office applications
User experience features
| Functionality | Classic client | Unified labeling client |
|---|---|---|
| Remove applied label actions | User is prompted to confirm The default label or an automatic label (if configured) is not automatically applied next time the Office app opens the file |
User is not prompted to confirm The default label or an automatic label (if configured) is automatically applied next time the Office app opens the file |
| Label selection and display when applied in Office apps | From the Protect button on the ribbon From the Information Protection bar (horizontal bar under the ribbon) |
From the Sensitivity button on the ribbon From the Information Protection bar (horizontal bar under the ribbon) |
| Manage the Information Protection bar in Office apps | For users: Option to show or hide the bar from the Protect button on the ribbon When a user selects to hide the bar, by default, the bar is hidden in that app, but continues to automatically display in newly opened apps For admins: Policy settings to automatically show or hide the bar when an app first opens, and control whether the bar automatically remains hidden for newly opened apps after a user selects to hide the bar |
For users: Option to show or hide the bar from the Sensitivity button on the ribbon. When a user selects to hide the bar, the bar is hidden in that app and also in newly opened apps For admins: PowerShell setting to manage the bar |
| Label color | Configure in the Azure portal | Retained after label migration and configurable with PowerShell |
| Labels support different languages | Configure in the Azure portal | Configure by using Office 365 Security & Compliance PowerShell |
| Justification prompts (if configured) per action in Office | - Frequency: Per file - Lowering the sensitivity level - Removing a label - Removing protection |
- Frequency: Per session - Lowering the sensitivity level - Removing a label |
Enforcement features
| Functionality | Classic client | Unified labeling client |
|---|---|---|
| Setup | Option to install local demo policy | No local demo policy |
| Policy update | - When an Office app opens - When you right-click to classify and protect a file or folder - When you run the PowerShell cmdlets for labeling and protection - Every 24 hours - For the scanner: Every hour and when the service starts and the policy is older than one hour |
- When an Office app opens - When you right-click to classify and protect a file or folder - When you run the PowerShell cmdlets for labeling and protection - Every 4 hours - For the scanner: Every 4 hours |
| Order support for sublabels on attachments | Enabled with an advanced client setting | Enabled by default, no configuration required |
Automation features
| Functionality | Classic client | Unified labeling client |
|---|---|---|
| Automatic and recommended labels | Configured as label conditions in the Azure portal with built-in information types and custom conditions that use phrases or regular expressions Configuration options include: - Unique / Not unique count - Minimum count |
Configured in the Microsoft 365 compliance center with built-in sensitive information types and custom information types Configuration options include: - Unique count only - Minimum and maximum count - AND and OR support with information types - Keyword dictionary - Customizable confidence level and character proximity |
| Change the default protection behavior for file types | Use registry edits to override the defaults of native and generic protection | Use PowerShell to change which file types get protected |
AIP client feature comparisons outside of Office applications
| Functionality | Classic client | Unified labeling client |
|---|---|---|
| Supported formats for PDF | Protection: - ISO standard for PDF encryption (default) - .ppdf Consumption: - ISO standard for PDF encryption - .ppdf - SharePoint IRM protection |
Protection: - ISO standard for PDF encryption Consumption: - ISO standard for PDF encryption - .ppdf - SharePoint IRM protection |
| Generically protected files (.pfile) opened with the viewer | File opens in the original app where it can then be viewed, modified, and saved without protection | File opens in the original app where it can then be viewed and modified, but not saved |
| Supported cmdlets | - Cmdlets for labeling - Cmdlets for protection-only |
Cmdlets for labeling:Set-AIPFileClassification and Set-AIPFileLabel don't support the Owner parameter In addition, there is a single comment of "No label to apply" for all scenarios where a label isn't applied Set-AIPFileClassification supports the WhatIf parameter, so it can be run in discovery mode Set-AIPFileLabel doesn't support the EnableTracking parameter Get-AIPFileStatus doesn't return label information from other tenants and doesn't display the RMSIssuedTime parameter In addition, the LabelingMethod parameter for Get-AIPFileStatus displays Privileged or Standard, instead of Manual or Automatic. |
| Automatic rescans | Full rescans are automatically run every time the scanner detects a change in policy or labeling settings | Starting in version 2.8.85.0, administrators can choose to skip a full rescan after making changes to policy or content scan job settings. |
| Network discovery (Public preview) | Network discovery features are unavailable for the classic scanner | Administrators can discover additional risky repositories by scanning a specified IP address or range. |
Features provided for the classic client that are not planned for the unified labeling client
The following features and behavior differences from the classic client are not currently planned to be available in future releases for the unified labeling client:
Custom permissions as a separate option that users can select in Office apps: Word, Excel, and PowerPoint
The Sensitivity toolbar does not show the Sensitivity title, nor a title tooltip. The bar itself is displayed in the unified labeling client.
Protection-only mode (no labels) using templates
Protect PDF document as .ppdf (older format)
Display the Do Not Forward button in Outlook
Demo policy
Separate PowerShell cmdlets to connect to a Rights Management service
Display of the user identity that applied a label